Figure1. Chronology of events

In response to these risks, DFi Service decided to deploy a massive incident response plan for all managed customers, to cover the following aspects

• Identification of impacted servers
• Patching of vulnerable servers
• Identification of signs of compromise
• Cleaning up malicious files

These actions could be completed by DFi Service with more advanced analyses in order to identify a potential post-exploitation risk (forensic analyses) or by integrating advanced detection solutions (Security Operations Center, EDR, etc.)

In addition to the incident response plan, DFi Service has contacted all of its managed customers affected in order to propose recommendations adapted to the context, environment and architecture of the customer.

Recommendations and security principles :

To guarantee better protection of Exchange mail servers, DFi Service recommends applying the following best practices:

• Adopt the principle of secure architecture by design to avoid making the Exchange server directly accessible from the Internet:
• Set up a web application firewall (WAF) to filter and secure incoming web flows
• Implementation of an SMTP bastion to secure incoming and outgoing SMTP flows
• Set up a WEB bastion or proxy to filter outgoing web flows from the mail server
• Maintain and deploy patches on the entire information system
• Define an incident response policy, enabling the actions to be taken when major security incidents occur.
• Integrate advanced detection solutions:
• SIEM/SOC service to monitor the entire information system and provide real-time detection
• EDR Antivirus to increase security on workstations
• Define an appropriate backup and recovery strategy
• Define an incident response strategy to undertake the right actions

For all these principles, DFi Service can offer you customised support.